diff --git a/docker/web/Dockerfile b/docker/web/Dockerfile
index 909e53b1..9bf89cee 100644
--- a/docker/web/Dockerfile
+++ b/docker/web/Dockerfile
@@ -30,6 +30,9 @@ ENV NODE_ENV=production
 ENV PORT=3000
 WORKDIR /app
+# Install gosu for privilege dropping
+RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/*
+
 RUN groupadd -g 1001 nodejs && useradd -r -u 1001 -g nodejs nextjs
 COPY --from=builder /app/public ./public
@@ -45,8 +48,11 @@ COPY --from=builder /app/prisma ./prisma
 # Create data directory for SQLite database
 RUN mkdir -p /app/data && chown -R nextjs:nodejs /app/data
-USER nextjs
+# Copy entrypoint script
+COPY docker/web/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
 EXPOSE 3000
-CMD ["node", "server.js"]
+# Run as root so entrypoint can fix permissions, then switch to nextjs
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/web/entrypoint.sh b/docker/web/entrypoint.sh
new file mode 100755
index 00000000..7097d7ee
--- /dev/null
+++ b/docker/web/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+# This script runs as root first to fix permissions, then switches to nextjs user
+
+DB_PATH="${DATABASE_PATH:-/app/data/caddy-proxy-manager.db}"
+DB_DIR=$(dirname "$DB_PATH")
+
+echo "Setting up database directory permissions..."
+
+# Ensure the data directory is owned by nextjs user
+chown -R nextjs:nodejs "$DB_DIR"
+
+# Switch to nextjs user and initialize database if needed
+gosu nextjs sh -c '
+ DB_PATH="'"$DB_PATH"'"
+
+ if [ ! -f "$DB_PATH" ]; then
+ echo "Database not found, initializing..."
+ npx prisma db push --skip-generate
+ echo "Database initialized successfully"
+ else
+ echo "Database exists, applying any schema changes..."
+ npx prisma db push --skip-generate --accept-data-loss 2>/dev/null || true
+ fi
+
+ echo "Starting application..."
+ exec node server.js
+'
\ No newline at end of file
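Review bot: In the first Dockerfile hunk (`@@ -30,6 +30,9 @@`), the added `apt-get install` line takes whatever gosu build the base image's repositories currently serve, with no version pin and no check that the binary works. Since this binary now performs the root-to-nextjs switch on every container start, pin it and verify it in the same layer, for example `apt-get install -y --no-install-recommends gosu=<GOSU_VERSION> && gosu nobody true && rm -rf /var/lib/apt/lists/*`. `<GOSU_VERSION>` is a placeholder: the stage's FROM line is outside this hunk, so the distribution release that determines the available version is not visible here.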
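Review bot: In the second Dockerfile hunk (`@@ -45,8 +48,11 @@`), dropping `USER nextjs` makes root the image's default user, so any start that bypasses `/entrypoint.sh` (an overridden entrypoint, an exec session) runs as root, and platforms that enforce a non-root user will presumably reject the image. The comment above ENTRYPOINT should state that contract explicitly, e.g. `# Image default user is root by design: entrypoint.sh chowns the data dir, then drops to nextjs via gosu; the app itself must never run as root`. With `CMD` removed and the script not reading `"$@"`, arguments supplied at run time are silently ignored, which deserves a line in the same comment. The `RUN chmod +x` layer looks redundant because the script is committed with mode 100755; `COPY --chmod=0755 docker/web/entrypoint.sh /entrypoint.sh` would set the mode explicitly in one step. The stage's FROM line is outside this hunk.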
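Review bot: In the new `docker/web/entrypoint.sh`, the root phase acts on a path taken unchecked from `DATABASE_PATH`: `chown -R nextjs:nodejs "$DB_DIR"` re-owns whatever directory that variable resolves to (a value directly under `/` would re-own the whole filesystem), and the value is then spliced into the `sh -c` text by `DB_PATH="'"$DB_PATH"'"`, where any quote or `$` in it is re-parsed as shell. Constrain the directory before the chown and hand the path to the child through the environment instead; the `/app/data` prefix in the fence is an assumption taken from the default path and should be widened if other mount points are supported. In the existing-database branch, `--accept-data-loss 2>/dev/null || true` runs on every start and hides both destructive schema changes and outright failures, so the app can come up against a schema that did not apply. Finally, `gosu` is launched without `exec`, so the wrapper shell stays PID 1 and the stop signal presumably never reaches node.

```shell
DB_DIR=$(dirname "$DB_PATH")

# Root only re-owns paths under the image's data root (assumed /app/data).
case "$DB_DIR" in
  *..*)
    echo "DATABASE_PATH must not contain '..': $DB_PATH" >&2
    exit 1
    ;;
  /app/data|/app/data/*)
    ;;
  *)
    echo "DATABASE_PATH must be under /app/data: $DB_PATH" >&2
    exit 1
    ;;
esac
chown -R nextjs:nodejs "$DB_DIR"

# Pass the path through the environment instead of splicing it into the script text.
export DB_PATH
# exec: gosu, and then node, replace this shell so the app receives stop signals.
exec gosu nextjs sh -c '
  # … unchanged: first-run branch (prisma db push --skip-generate) …
  else
    # … unchanged: "Database exists" message …
    # No --accept-data-loss, no stderr redirect, no "|| true": a destructive or failed push stops startup.
    npx prisma db push --skip-generate
  fi
  # … unchanged: exec node server.js …
'
```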